New tools aim at phone snatchers, snooping kids or partners, and cell hijackers.
Android 15 started rolling out to Pixel devices Tuesday and will arrive, through various third-party efforts, on other Android devices at some point. There is always a bunch of little changes to discover in an Android release, whether by reading, poking around, or letting your phone show you 25 new things after it restarts.
In Android 15, some of the most notable involve making your device less appealing to snoops and thieves and more secure against the kids to whom you hand your phone to keep them quiet at dinner. There are also smart fixes for screen sharing, OTP codes, and cellular hacking prevention, but details about them are spread across Google’s own docs and blogs and various news sites’ reports.
Here’s what is notable and new in how Android 15 handles privacy and security.
Scroll down your all-apps list and you’ll see a lock at the bottom and a new kind of panel you can pull up. Credit: Google
Unlocking the Private Space with biometric or passkey reveals the apps that have been tucked down there. Credit: Google
Private Space for apps
In the Android 15 settings, you can find “Private Space,” where you can set up a separate PIN code, password, biometric check, and optional Google account for apps you don’t want to be available to anybody who happens to have your phone. This could add a layer of protection onto sensitive apps, like banking and shopping apps, or hide other apps for whatever reason.
In your list of apps, drag any app down to the lock space that now appears in the bottom right. It will only be shown as a lock until you unlock it; you will then see the apps available in your new Private Space. After that, you should probably delete it from the main app list. Dave Taylor has a rundown of the process and its quirks.
It’s obviously more involved than Apple’s “Hide and Require Face ID” tap option but with potentially more robust hiding of the app.
Hiding passwords and OTP codes
A second form of authentication is good security, but allowing apps to access the notification text with the code in it? Not so good. In Android 15, a new permission, likely to be given only to the most critical apps, prevents the leaking of one-time passcodes (OTPs) to other apps waiting for them. Sharing your screen will also hide OTP notifications, along with usernames, passwords, and credit card numbers.
This might also prevent apps from doing the convenient thing of automatically pasting codes they are expecting, but it’s likely a good trade-off. Google notes that there are exceptions for apps with companion apps for wearables (i.e., Pixel Watch).
AI-powered Theft Detection Lock, Remote Lock, and Offline Device Lock
Thieves’ tactics are constantly evolving. One of the more effective ways to steal a phone—and steal something of value from it before the owner can remotely lock it—is to yank it from the owner’s hands. So long as the phone is unlocked and functional, a thief who gets far enough away can check emails, apps, and messages for rich targets, like money transfer or banking apps.
Android’s theft protection, i.e., Plan B after a phone jacking.
Theft Detection Lock on Android uses AI to sense if someone has yanked a phone and is rapidly moving away with it, automatically locking the phone if so. Google’s security blog post on the feature suggests it uses “on-device machine learning” to “analyze various device signals” and determine if a device was yoinked. Google is unlikely to give away the full details of what it’s looking for.
If theft detection didn’t work, there are at least two backups. Offline Device Lock activates if the Internet connection is disabled on your phone. And, using another device, you can use Remote Lock at android.com/lock to quickly lock your device with a phone number and a security challenge. It’s a faster way to secure your device while you use Find My Device to locate and further lock your gear.
Those three key features—Theft Detection Lock, Offline Device Lock, and Remote Lock—are not exclusive to Android 15 but are rolling out along with its release. Users on Android 10 or higher should get a Google Play Services update to enable the features, though they’ll have to be turned on in the device settings.
Live Threat Detection in Google Play Protect
Having an AI core raising the cost of your Pixel may not be an entirely bad thing. In Android 15, the app-scanning Google Play Protect will start using on-device AI from the “Private Compute Core” to “analyze additional behavioral signals related to the use of sensitive permissions and interactions with other apps and services.”
Should strange happenings be detected, users can send the suspect app to Google for further review and disable the app from a notification in the meantime.
Cellular security
It can be easy to forget that your phone is actually a phone and is constantly communicating over the air. It’s one of the most vulnerable parts of a phone, and Android 15 does some things to address the cellular part of your cell phone—even if none of them are available yet, even on Pixel phones.
Android 15 can tell users when they’re using an unencrypted cellular connection to prevent potential interception or injection of their traffic or SMS messages. Certain “at-risk users like journalists or dissidents” can be alerted to potentially false cellular base stations or attempts to identify their device. But these features are not on by default and require “OEM integration and compatible hardware,” with Google saying it expects OEM adoption “over the next couple of years.”
Little changes to deeper settings
Should a thief or snoop have access to your phone before you can lock it, Android 15 has instituted some smarter defaults for making changes to deeper settings, including:
- Changing something in the Find My Device settings requires either a PIN, account password, or biometric verification.
- Logging in multiple times with the wrong PIN or password will lock the device for some time (similar to iOS’s lock-out).
- Google says that “enhanced factory reset protection” will make it harder to wipe a device if you don’t have the owner’s Google account credentials.
- Identity Check is an opt-in feature that always asks for biometric authentication when changing critical settings or accessing passkeys from previously unused locations.
- There’s now a device toggle for sending your device name to network and Bluetooth connections.
- Android devices put into Lockdown mode now entirely block USB data access to accessories and computers, which should block attacks over ADB (Android Debug Bridge) channels.